I'm hoping to get some advice on a project I've been asked to look after at work. I do all of the IT for a small company that sits inside of a larger corporation. We need to prevent access to certain websites for our small group, so basically I need to set up a firewall within the infrastructure of the larger company.

The larger company is going to be setting up a separate VLAN for us; however, they don't want to use their firewall equipment to do the actual filtering, which is why I need to set up the filtering myself. I have a spare server at my disposal, so I'm hoping to accomplish this with software (preferably Linux based, since that's usually cheap/free and I'm pretty good with Linux) instead of a hardware device if possible. I'm under the assumption that basically what I need is a firewall that will act as the gateway between our small group and the firewall of the corporation, which will then lead to the Internet. I'm also hoping to still use the DHCP server of the larger company to serve our IP addresses (if that's possible to pass through the firewall). Lastly, I will need to be able to filter websites based on the MAC address that's trying to access the website.

If anyone can offer advice on which firewall software would be best to use in this scenario, that would be much appreciated. Also, I'm looking for advice on the best way to structure the network ... should we continue using their DHCP, should we set up our own, and if we use our own DHCP server, how do we prevent it from serving addresses to other users on other VLANs? I'm pretty decent with network stuff, just never worked in an environment with VLANs (I know the basic concepts about VLANs, but that's about it).

Thank you for all the answers so far. Based on the answers I definitely think I need a proxy server, not a firewall. No need to filter all the threats with a secondary firewall since we are already behind the larger company's firewall and they are doing all the threat filtering. Is Squid the best/only choice out there for proxy servers? Should I be looking at any others?
– Harry Muscle, Jul 15 '12 at 16:20

Why not use parental control to restrict the URLs? It's in the browsers and in some anti-virus software. It's just a URL blacklist, right, and can be excluded via the hosts file.
– Andrew Smith, Jul 15 '12 at 18:20

3 Answers

First, to answer the question of DHCP. DHCP works by sending a broadcast on a network, which means that if the DHCP server can hear the broadcast of a client (DHCP Discover), then the client and server can negotiate an IP address.

In your case, you are going to be sat on another VLAN from the DHCP server, so effectively a separate subnet. With this in mind, if your subnet is 192.168.1.0/24 and the company's DHCP server sits on 192.168.2.0/24, your client will not be able to communicate with the DHCP server using network broadcast. This means that realistically you are free to set up a DHCP server to serve the appropriate IP address range without subsequently broadcasting out to the rest of the network.

Now, it is possible to set up a DHCP relay on your router which will pass DHCP traffic between your clients and the DHCP server of the larger company if you want to; really this is a decision for you on how you want to manage the IP addresses on your network.

Regarding firewall choice, my preference is to opt for a Linux iptables and Squid proxy option. You can forward web traffic transparently to a Squid proxy; this is possible using iptables:
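As an added example (not the answerer's own rules, which are not reproduced on this page), the script below builds the iptables rules that transparently send a VLAN's outbound HTTP through a Squid proxy running on the Linux gateway itself, with a per-MAC exemption list. The interface name `eth1`, Squid port 3128 and the MAC addresses are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) iptables rules that redirect
# HTTP from the small group's VLAN to a local Squid proxy. Names below are
# assumptions; override them via environment variables.

LAN_IF="${LAN_IF:-eth1}"          # assumed: interface facing the small group's VLAN
SQUID_PORT="${SQUID_PORT:-3128}"  # assumed: Squid's http_port, configured with 'intercept'
# Constructed sample MACs of hosts that must NOT be proxied (e.g. a printer).
BYPASS_MACS="${BYPASS_MACS:-00:11:22:33:44:55 00:11:22:33:44:66}"

# Print the rules, one per line, so they can be reviewed before being applied.
squid_redirect_rules() {
    for mac in $BYPASS_MACS; do
        # RETURN leaves the nat PREROUTING chain early, so this host is routed
        # normally instead of being redirected to the proxy.
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -m mac --mac-source $mac -p tcp --dport 80 -j RETURN"
    done
    # Everything else from the VLAN on port 80 is redirected to the local Squid.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
    # Accept the redirected connections from our VLAN only, and drop attempts
    # from any other interface so the proxy is not reachable from other VLANs.
    echo "iptables -A INPUT -i $LAN_IF -p tcp --dport $SQUID_PORT -j ACCEPT"
    echo "iptables -A INPUT ! -i $LAN_IF -p tcp --dport $SQUID_PORT -j DROP"
}

# Apply the rules only when explicitly asked (needs root); otherwise just show them.
if [ "${APPLY:-0}" = "1" ]; then
    sysctl -w net.ipv4.ip_forward=1 >/dev/null   # the box must route for the VLAN
    squid_redirect_rules | sh -e
else
    squid_redirect_rules
fi
```

Only port 80 is intercepted here; HTTPS on 443 passes through untouched unless Squid is configured for it separately. The per-MAC decision in these rules is only proxy-or-not; which sites each machine may reach is decided by Squid's own ACLs.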

What you can do is to buy a hardware router and use a software firewall, if you really want to. This works pretty much OK. If you want to save money, you can use a cheap 10GBps router (but better with an ARP table of minimum 1024 entries). The thing is that your company will grow over time, and you will need more and more data to switch between your devices; you might need to split them as well into different VLANs.

The firewall acts as an internet gateway only, so it's up to 1GBps. You need a latest-gen machine to handle 1GBps forwarding using Linux (a pre-dual-core machine @3GHz does only 200MBps).

Later on, you can upgrade the switch this way:

Today a switch with 10GBps uplink and virtual chassis is a minimum requirement. It's available from nearly all vendors except the cheapest ones like Dell (they have stacking, but it is not virtual chassis, and it's dodgy anyway).

You can upgrade Vyatta to a cluster as well, by using HA mode.

Anyway, it's recommended that you use a hardware firewall. Software solutions are good for cloud mainly. Vyatta would be the exception because it has features of hardware solutions, like a configuration interface via command line, where you set up everything from a single unified interface. There is also Squid. Snort was deprecated because it was slowing down; however, this is also somewhat required if you run internet-facing services.

Vyatta's main role is to provide forwarding, stateful packet inspection and NAT as well as web proxy. If you need mail scanning and other features, you can set up virtual machines with SpamAssassin; you can also set up the machine with Snort, but don't pack everything on a little unit. Even if this provides good security, it fails at stability and performance.

Also, when buying hardware for a firewall, make sure it has PCIe and onboard network directly connected to the CPU and not through some other chip. An Intel Sandy Bridge based system is the minimum; it's the same as dedicated cards with acceleration etc., which do not work just like this with any software firewall. So if you want to use your own firewall, you need to make sure it will match the performance of the other "hardware" one, which is really software most of the time, with just a different architecture than a typical PC.

...so even a single-core, low-power machine will handle even 10GBps no problem, as the overhead is very little. Recommended is an Intel card because it has very good drivers. You might even need to tune them a bit if you do lots of connections at a high rate (to enable RSS and increase buffers).

PS. Getting proper hardware for a software firewall is not easy. You need to make sure that PCIe is connected to the CPU and that your Intel card will actually work on that port (e.g. it's a server machine). Otherwise, you will have very poor performance, way below 1GBps, which is not enough if you do many file transfers.
– Andrew Smith, Jul 15 '12 at 10:21

PS2. Using any card with acceleration is not the best option. This requires a dedicated OS with firmware; it just doesn't work on a random software firewall product. This way you would need to use certified hardware and OS, like Redhat 6 and Dell; this would work well even with an accelerated Broadcom NIC.
– Andrew Smith, Jul 15 '12 at 10:31

Andrew - rather than add comment after comment, you can edit your answer to include these. Please do this so we can then delete these 2 comments.
– Rory Alsop♦, Jul 15 '12 at 15:18